vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
009e93a80b3c58bbfaa2ceb153e3fba32a6efc3c
vm-skills/secrets-vault/scripts/90_verify.sh
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

56 lines
1.8 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
source "$SCRIPT_DIR/_common.sh"
: "${VAULT_ROOT:=~/infrastructure/vault}"
: "${AGE_KEYS_FILE:=~/.config/sops/age/keys.txt}"
: "${RECIPIENTS_FILE:=$SKILL_ROOT/outputs/recipients.txt}"
main() {
vr="$(expand_path "$VAULT_ROOT")"
kf="$(expand_path "$AGE_KEYS_FILE")"
status="$SKILL_ROOT/outputs/status_matrix.json"
ok_keys=false; ok_perm=false; ok_policy=false; ok_cipher=false
[[ -f "$kf" ]] && ok_keys=true
if [[ -f "$kf" ]]; then
perm="$(stat -c '%a' "$kf" 2>/dev/null || echo "")"
[[ "$perm" == "600" ]] && ok_perm=true
fi
[[ -f "$vr/.sops.yaml" ]] && ok_policy=true
if [[ -f "$vr/secrets/cloudflare.enc.yaml" && -f "$vr/secrets/gitea.enc.yaml" && -f "$vr/secrets/registry.enc.yaml" && -f "$vr/secrets/k8s.enc.yaml" ]]; then
ok_cipher=true
fi
blockers="[]"
if [[ "$ok_keys" != "true" ]]; then blockers='["missing_age_identity"]'
elif [[ "$ok_policy" != "true" ]]; then blockers='["missing_sops_policy"]'
elif [[ "$ok_cipher" != "true" ]]; then blockers='["missing_encrypted_templates"]'
fi
cat > "$status" <<EOF
{
"skill":"secrets-vault",
"timestamp":"$(date -Iseconds)",
"vault_root":"$(json_escape "$vr")",
"checks":[
{"name":"age_identity_present", "ok": $ok_keys, "path":"$(json_escape "$kf")"},
{"name":"age_identity_perm_600", "ok": $ok_perm},
{"name":"sops_policy_present", "ok": $ok_policy, "path":"$(json_escape "$vr/.sops.yaml")"},
{"name":"encrypted_templates_present", "ok": $ok_cipher}
],
"blockers": $blockers,
"warnings": [],
"next_steps": ["commit vault ciphertext to git", "cloudflare-tunnel-manager", "container-registry"]
}
EOF
log_info "Wrote $status"
cat "$status"
}
main "$@"
Reference in New Issue View Git Blame Copy Permalink